CERT-UA Uncovers Gamaredon’s Rapid Data Exfiltration Tactics After Initial Compromise


July 17, 2023 | thn | Cyber Attack / Data Security


The Russian-linked threat actor known as Gamaredon has been observed carrying out data exfiltration activities within an hour of the initial compromise.

“As the main compromise vector, for the most part, emails and messages on messengers (Telegram, WhatsApp, Signal) were used, in most cases, using previously compromised accounts,” Computer Emergency Response Team of Ukraine (CERT-UA) said in a cohort analysis published last week.

Gamaredon, also called Aqua Blizzard, Armageddon, Shuckworm, or UAC-0010, is a state-sponsored actor with ties to the SBU Main Office in the Autonomous Republic of Crimea, which was annexed by Russia in 2014. The group is thought to have infected thousands of government computers.

It has also been one of the many Russian hacking crews that have maintained an active presence since the start of the Russo-Ukrainian war in February 2022, leveraging phishing campaigns to deliver PowerShell backdoors such as GammaSteel that perform reconnaissance and execute additional commands.

The lure message usually carries an archive containing HTM or HTA files which, when opened, trigger the attack sequence.


According to CERT-UA, GammaSteel is used to collect files matching a fixed set of extensions – .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, and .mdb – within 30 to 50 minutes of the initial compromise.
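The behaviour above (one process sweeping a large number of document-type files in well under an hour) is something a defender can look for in file-access telemetry. The script below is an added example, not CERT-UA or Gamaredon code: it runs over constructed telemetry lines, and the `ts|host|pid|image|path` layout, the 40-file threshold and the 50-minute window are assumptions chosen for illustration. The extension set is the one CERT-UA reported.

```python
"""Flag a process that reads many document-type files within a short window.

Added example, not code from CERT-UA or the malware. The telemetry format,
the threshold and the window size are assumptions; the sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Extension set CERT-UA reported for GammaSteel's collection routine.
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".odt", ".txt", ".jpg", ".jpeg",
    ".pdf", ".ps1", ".rar", ".zip", ".7z", ".mdb",
}

WINDOW = timedelta(minutes=50)  # assumption: upper end of the 30-50 minute figure
THRESHOLD = 40                  # assumption: distinct targeted files per process


def parse_event(line):
    """Parse one constructed 'ts|host|pid|image|path' file-read event."""
    ts, host, pid, image, path = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "pid": int(pid), "image": image, "path": path}


def is_targeted(path):
    """True if the file extension is in the reported collection set (case-insensitive)."""
    return os.path.splitext(path)[1].lower() in TARGET_EXTENSIONS


def find_mass_collection(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, pid, image) whose count of distinct targeted
    files read inside any `window`-long span reaches `threshold`."""
    per_proc = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if is_targeted(ev["path"]):
            key = (ev["host"], ev["pid"], ev["image"])
            per_proc[key].append((ev["ts"], ev["path"]))

    alerts = []
    for (host, pid, image), reads in per_proc.items():
        reads.sort()
        start = 0
        in_window = {}  # path -> number of reads currently inside the window
        for ts, path in reads:
            in_window[path] = in_window.get(path, 0) + 1
            # Slide the window start forward until it spans at most `window`.
            while ts - reads[start][0] > window:
                old = reads[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts.append({
                    "host": host, "pid": pid, "image": image,
                    "files": len(in_window),
                    "span_minutes": (ts - reads[start][0]).total_seconds() / 60,
                })
                break  # one alert per process is enough
    return alerts


def sample_telemetry():
    """Constructed data: a PowerShell process sweeping 60 documents in ~35 minutes,
    plus a Word process touching ten files across a working day."""
    base = datetime(2023, 7, 10, 9, 0)
    lines = []
    for i in range(60):
        ts = base + timedelta(seconds=35 * i)
        ext = [".docx", ".xlsx", ".pdf", ".txt"][i % 4]
        lines.append(f"{ts.isoformat()}|HOST1|4120|powershell.exe|"
                     f"C:\\Users\\user\\Documents\\file{i}{ext}")
    for i in range(10):
        ts = base + timedelta(minutes=50 * i)
        lines.append(f"{ts.isoformat()}|HOST1|2200|WINWORD.EXE|"
                     f"C:\\Users\\user\\Documents\\report{i}.docx")
    return lines


if __name__ == "__main__":
    for alert in find_mass_collection(sample_telemetry()):
        print(alert)
```

The sliding window counts distinct paths rather than raw reads, so a backup agent or an indexer that re-reads the same file repeatedly does not trip it by itself; those tools will still need an allowlist by image path in a real deployment.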

The group has also been observed continually evolving its tactics, including the use of infected USB drives for propagation. A host that has remained in a compromised state for a week could hold between 80 and 120 malicious files, the agency noted.



Also notable is the threat actor's use of AnyDesk for interactive remote access, PowerShell scripts for session hijacking to bypass two-factor authentication (2FA), and Telegram and Telegraph pages to retrieve command-and-control (C2) server information.

“Attackers take discrete actions to ensure fault tolerance of their network infrastructure and avoid detection at the network level,” CERT-UA said. “During the day, the IP address of the intermediate control node can change from 3 to 6 or more times, which, among other things, indicates the appropriate automation of processes.”
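The infrastructure behaviour CERT-UA describes, a control node whose IP address changes several times a day, shows up in resolver logs as a domain whose answer keeps changing. The script below is an added example, not CERT-UA code: it runs over constructed passive-DNS style lines, and the `ts host qname rdata` layout, the domain names, the addresses (documentation ranges) and the three-changes-per-day threshold are assumptions.

```python
"""Spot domains whose A record changes several times within one day.

Added example, not code from CERT-UA. Log format, threshold and sample data are
constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed resolver log: 'ts host qname rdata'. update-node.example rotates
# through four addresses in a day; intranet.example is stable; cdn.example
# rotates too but is a legitimate content network.
SAMPLE_DNS_LOG = [
    "2023-07-10T08:05:00 HOST1 update-node.example 198.51.100.10",
    "2023-07-10T10:40:00 HOST1 update-node.example 203.0.113.7",
    "2023-07-10T13:15:00 HOST2 update-node.example 192.0.2.44",
    "2023-07-10T17:50:00 HOST1 update-node.example 198.51.100.23",
    "2023-07-10T08:00:00 HOST1 intranet.example 10.0.0.5",
    "2023-07-10T12:00:00 HOST2 intranet.example 10.0.0.5",
    "2023-07-10T09:00:00 HOST1 cdn.example 192.0.2.1",
    "2023-07-10T09:30:00 HOST1 cdn.example 192.0.2.2",
    "2023-07-10T10:00:00 HOST1 cdn.example 192.0.2.3",
    "2023-07-10T10:30:00 HOST1 cdn.example 192.0.2.4",
]


def parse_dns_line(line):
    """Parse one constructed 'ts host qname rdata' line into a sortable tuple."""
    ts, host, qname, rdata = line.split()
    return datetime.fromisoformat(ts), host, qname.lower().rstrip("."), rdata


def ip_changes_per_day(lines, min_changes=3, allowlist=()):
    """Return {(day_iso, qname): change_count} for every domain whose answer
    changed at least `min_changes` times within a calendar day.

    A 'change' is an answer that differs from the previous answer seen for the
    same domain on the same day, so a stable domain queried many times scores 0.
    Domains in `allowlist` (CDNs, round-robin services) are skipped.
    """
    events = sorted(parse_dns_line(line) for line in lines)  # time order matters
    last_answer = {}
    changes = defaultdict(int)
    for ts, _host, qname, rdata in events:
        if qname in allowlist:
            continue
        key = (ts.date().isoformat(), qname)
        prev = last_answer.get(key)
        if prev is not None and prev != rdata:
            changes[key] += 1
        last_answer[key] = rdata
    return {k: v for k, v in changes.items() if v >= min_changes}


if __name__ == "__main__":
    for (day, qname), n in ip_changes_per_day(
            SAMPLE_DNS_LOG, allowlist=("cdn.example",)).items():
        print(f"{day} {qname}: A record changed {n} times")
```

The allowlist matters: CDNs, large SaaS front doors and anything behind round-robin DNS rotate addresses just as often, so this check is a triage signal to combine with process and proxy context, not an alert on its own.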
